Firewall Wizards mailing list archives

Re: Acquisition of time


From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 29 Jan 2003 10:53:38 -0500 (EST)

On Wed, 29 Jan 2003, Brian Monkman wrote:

> Folks - I'm having a discussion with a few people and we have a 
> question that we are interested in getting comments from the list on.
>
> Are there any situations where a firewall's acquisition of time 
> could/should be from a network time source? Not necessarily a public 
> source, it could be an "internal" time source.

Could be, sure.


> If there are situations where this makes sense, should these same 
> firewalls have battery backed up clocks on board or would that be 
> unnecessary?

Imagine you had some SQL servers which got hit with a worm that 
propagated, and you allowed all outbound traffic.  Let's say the worm 
generated enough traffic to fill up the state table on the firewall, and 
due to a bug it ended up rebooting.  Now, the internal network flood is 
still going on.  An attacker decides to take advantage of the mayhem to 
launch a real attack against you, and the NTP server isn't reachable 
because the switch it's sitting on has 8 vulnerable neighbors plugged into 
it....

What time gets written to the logs when the attack commences?  

Worse yet, let's say it's protecting a small business or a home and 
doesn't have all the good constant power that we tend to see in large 
companies...

While I've often said that it's a good thing to be able to take a cheap 
GPS and add a stratum 1 timeserver to a network, any time you add an 
external dependency, you really, really need to think through the 
scenarios, especially if you're going to have to take log files to court.

Paul
ps: Posting from home doesn't improve your odds ;)
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
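
Added example, not part of the original post: one way to find the log entries a firewall wrote while its clock could not be trusted, as in the reboot-with-NTP-unreachable scenario above, and to bound when they were really written. The log format, host name, addresses and the `find_untrusted_spans` helper are constructed for illustration; it assumes entries are stored in the order they were written and that the clock was correct before the reset and after the re-sync.

```python
from datetime import datetime, timedelta

# Constructed sample log, in the order the lines were written to disk.
# The 1970 timestamps model a firewall with no battery-backed clock that
# rebooted while its NTP server was unreachable.
SAMPLE_LOG = """\
2003-01-29T05:31:02 fw1 state table 98% full
2003-01-29T05:31:40 fw1 state table full, dropping new connections
1970-01-01T00:00:07 fw1 kernel: boot
1970-01-01T00:00:31 fw1 ntp: no response from time server
1970-01-01T00:02:10 fw1 accept tcp 192.0.2.10 -> 10.0.0.5
2003-01-29T05:39:55 fw1 ntp: clock stepped
2003-01-29T05:40:03 fw1 accept tcp 192.0.2.10 -> 10.0.0.5
""".splitlines()


def find_untrusted_spans(lines, tolerance=timedelta(seconds=2)):
    """Return (first_idx, last_idx, last_good, next_good) for each run of
    entries stamped earlier than the newest trusted timestamp before them.
    The entries in a run were really written between last_good and
    next_good; next_good is None if the log ends before the clock recovers."""
    spans = []
    last_good = None   # newest timestamp seen while the clock was trusted
    start = None       # index of the first entry in the current suspect run
    for i, line in enumerate(lines):
        ts = datetime.fromisoformat(line.split(" ", 1)[0])
        if last_good is not None and ts < last_good - tolerance:
            if start is None:
                start = i          # clock went backwards: run begins
            continue
        if start is not None:      # clock is back at or past last_good
            spans.append((start, i - 1, last_good, ts))
            start = None
        last_good = ts
    if start is not None:
        spans.append((start, len(lines) - 1, last_good, None))
    return spans


if __name__ == "__main__":
    for first, last, lo, hi in find_untrusted_spans(SAMPLE_LOG):
        print(f"entries {first}-{last}: written between {lo} and {hi}")
        for line in SAMPLE_LOG[first:last + 1]:
            print("   ", line)
```

A clock that comes up wrong but ahead of the last good timestamp is not caught by this check; that case needs an independent reference such as a log collector's receive time.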